true if the access should be granted, false if it should be denied.
The null value indicates that the ACL does no rule for this Sid/Permission
combination. The caller can decide what to do—such as consulting the higher level ACL,
or denying the access (if the model is no-access-by-default.)